Scaling Trust: An Anthropology of Cyber Security (Renewal)

Lead Research Organisation: University of Warwick
Department Name: Centre for Interdisc. Methodologies

Abstract

Scaling Trust is an interdisciplinary research project drawing on resources from anthropology, sociology, communication studies, literary theory, philosophy of science and computing. Using interviews, textual analysis, workshops and ethnography, Scaling Trust examines recent transformations in Cyber Security across four distinct domains, and asks: how are novel models and methods reshaping trust and securing in contemporary society? How do new forms of narrativizing threats, problems of technology and scale, and security solutions define what a secure future may be?

A) In the initial period of the fellowship, we investigated current transformations in technology assurance. Security in this domain has been treated as a quality of technical products, a quality that can be tested and measured in an evaluation lab. In recent years, we can observe increasing awareness of unintended side effects of reliance on trusted products and the rise of new approaches focused on risk and the quality of communication.

B) In the initial fellowship period, we also examined the emergence of 'de-perimeterised' security models, today most prominently associated with 'Zero Trust' IT architectures. We examine the nature of security models in general, and how this one in particular has challenged intuitions of information security as the protection of an 'inside' of a private network, and focussed attention instead on asset value. This formulation of the object of securing has profound implications for what counts as a security technology, and for how users/people are positioned and treated.

C) In the renewal period, we will conduct an empirical study of the 'DevSecOps' movement, a movement that aims to reconfigure organisations, so that security, here understood as an organisational function, is no longer in a 'silo', but becomes integrated in collaborative multi-function delivery teams. The focus on social architecture here draws on classic organisational thinking in software development, such as Conway's law (that technology tends to inherit a pattern of organisation from the structure of teams who made it), on 'Secure by Design' concepts, and is driven by the demands of continuous delivery methodologies. Securing is here understood as what a part of an organisation does, alongside developing, maintaining and operating.

D) During the renewal period, we also build out a study of the recent emergence of hardware-based vulnerabilities, such as Rowhammer, SPECTRE and Meltdown, which have fundamentally challenged some of the certainties upon which security reasoning was built. These vulnerabilities drew attention to the level of hardware as a source of uncertainty, challenging the notion that security can be understood via analysis of logics implemented in software. In addition to preventing attacks, securing thus becomes a matter of being responsive to novel vulnerabilities as they emerge.

In Scaling Trust, we examine the narrativization of security, how securing is constituted as a meaningful activity in distinct, but intersecting ways, as these expert domains undergo transformation: how security is variously posed as a problem of A) evaluation, B) architecture, C) organisation and D) function. If, as we argue, the nature of cyber security is not fixed, but rather refracts through a number of expert practices, it is important to examine and make sense of how it is changing and the implications for society, for organisations and for policymakers.

Scaling Trust includes a portfolio of engagement activities with policymakers and with organisations. It involves the use of a palette of qualitative research methodologies, but also the development of a new participatory workshop format, called 'Trust Mapping' for organisations and researchers. It is a fellowship project, and thus also involves investment in the PI, Dr Matt Spencer, supporting his career trajectory and development of a position of research leadership in cyber security.
